1.1 Definitions

• CyberTwice ATTEST (services) - The Microsoft Azure-based Attestation service from CyberTwice which allows for the Capture and replay(Communicate) of enterprise communication & surveillance Interactions, enabling Attestation (Comply)
• ATTEST Replay - The Microsoft Teams App (Application), which allows a user to search & replay Interaction captured in the CyberTwice ATTEST Service
• ATTEST Management Portal - The web portal which allows for the administration of the CyberTwice ATTEST Service
• Attestation -  an act of showing or evidence showing that something is true ⁽¹⁾
• Interaction - An interaction is a (enterprise) communication or surveillance stream captured within the CyberTwice ATTEST Service, examples are Microsoft Teams calls, (Microsoft Teams) phone calls, Microsoft Teams meetings, public announcement (paging systems), intercoms calls or camera footage.
• Pricing Component - The drivers of cost within the CyberTwice ATTEST Service as defined in §2.3
• Type - the type of media used within an Interaction, e.g., video, audio
• Recording Hour - see §2.3
• Overage - see §2.3
• Storage - see §2.3
• Microsoft (MS) Marketplace - being both Microsoft Azure Marketplace and the Microsoft AppSource
• Transcription - see §2.3
• Recorded User / Group - see §2.3
• Pricing Plan or Plan see §2.1
• Advanced Services -  see §2.2
• Microsoft Cognitive Services - services inherent to Microsoft Azure (please refer to Azure Cognitive Services)
• Retention Period - See §2.3

2. Pricing Plans

2.1 The CyberTwice ATTEST Service is offered via the Microsoft Marketplace, where four Pricing Plans are available, namely:

• "Per User"
• "Starter"
• "SMB" (Small to Medium size Businesses)
• "Business"

2.2 The price for each Plan is given on the CyberTwice ATTEST Pricing page. Each Plan is based on a combination of two elements, namely:

• Fixed monthly fee, which includes a defined recording and storage volume, respectively, Recording Hours and Storage (in GiB). The "Per User" Plan, also includes the number of users under recording, or Recorded Users, as elaborated on in §2.3
• Variable fee, which can be on
  • Overage, being the volume exceeding the volume included in the respective Pricing Plan for each Pricing Component, i.e., the  Recording Hours and Storage (and for the "Per User" plan, the Recorded Users);
  • Advanced Services, being features and functionality, typically Microsoft Azure Cognitive Services switched on within the CyberTwice ATTEST Management Portal or the ATTEST Replay application, e.g., the speech-text service (Transcription) 

2.3 Pricing Components
The CyberTwice Attest Services pricing is based on the following Pricing Components:

• Recording Hours - The duration of the captured interaction, i.e., a teams call, meeting, or "phone call" (Interaction). This metric is irrespective of the media type (Type) in the interaction, so it can include audio, video, or screen capture. 
• Storage - The total storage capacity in GiB used. The storage used is dependent on multiple factors, namely Recording Hours, Type, and the period during which the Interaction must remain stored in CyberTwice ATTEST (Retention Period)
• Recorded User - A user is known in the Microsoft Active Directory that has been placed in the recorded (Microsoft Azure) group (Recorded Group), for which all Interactions will be recorded in CyberTwice ATTEST. (is only a Pricing Component in the "User" Plan)
• Transcription - An Advanced Service comprising the conversion of the audio in an Interaction to a text (speech-to-text), whereby the duration (in minutes) of the Interaction is the measure of calculation (see §2.4).

2.4 Pricing metrics
The Pricing Components given in §2.3 are, or have underlying, metrics resulting in the actual pricing. We determine the various pricing metrics as follows:

• Time - All time-related pricing components are calculated in seconds (rounded to 5 decimals), which are subsequently converted into minutes or hours by division by 60 or 3,600 (rounded to 3 decimals). Each time-based Pricing Component (e.g. Recording Hours and Transcription) is forwarded to the MS Marketplace on a daily basis (at 01:00 UTC).
• Recording Hours. Time is accumulated on a monthly basis and the exemption is deducted automatically by the Microsoft Marketplace, such that only the Overage is ultimately charged (on a monthly basis);
• Storage GiB -
  • The Storage is calculated by adding all the bytes in all (blob) storages allocated to one tenant together, which may include all help files (i.e. wav-file for the speech-to-text, the output of the speech-to-text, subtitles, etc.).
  • Only the storage (blob) size is counted and not any additional metadata to the storage (blob).
  • For encrypted data in the storage (blob), additional 60 bytes of overhead is added per 4 MiB of stored data.
  • Every 6 hours, the storage size (blob) is calculated. Every day, the maximum of these 4 values is taken and divided by (1024 * 1024 * 1024) to arrive at the total Storage used in GiBs.
  • Subsequently, the exemption (amount included in the purchased Pricing Plan) is deducted, and if the result is greater than 0 (rounded to 3 decimals), i.e., the Overage, is sent to the MS Marketplace daily (at 01:00 UTC) and charged at the daily rate (i.e., the stated monthly rate for storage divided by average days per month (365 days per year / 12 months per year).
• Recorded User - The number of users is calculated (but not billed) daily. The average number of Recorded Users is calculated every first of the month (at 01:00 UTC). The result is rounded down if < 10%, else rounded up. Example for a 30-day period: If a Recorded User makes at least one call every day and another user makes at least one call twice a month. Then the average (32/30 = 1,067) is below 1.1 and is therefore seen as 1 Recorded User. If a second user now makes at least one call on 4 different days (34/30=1,133), this is no more than 1.1 and is then seen as 2 Recorded Users. The 'free level of 1 user' is then deducted from this number, and what remains is sent to the marketplace. In this example, if it is one per-user plan, in the first case, it is not sent (1 user free), and in the second case, 1 extra user is billed.
  

2.5 Price Metrics Billing & Insights
The Microsoft Marketplace handles the billing and charging of the CyberTwice Attest Service. We provide the usage details, components, and underlying metrics to the Microsoft Marketplace. The ATTEST Management Portal makes usage available to the Customer for reference purposes.  

2.6 Plan - Offer Specific Pricing Components
2.6.1 Currently, four (4) Pricing Plans (or Offers) are available in the Microsoft Marketplace as stipulated in §2.1. The basis for these plans is to provide for an increase in usage and accommodate different approaches in terms of the underlying metrics, i.e., either "User" or "Usage" based.

1. 2.5.2 "User"- The main driver of these Pricing Plans (Offer) is the number of Recorded Users. You pay a fixed monthly fee for each Recorded User, and each Recorder User brings a defined quantity of Recording Hours and Storage, forming a shared pool. The Overage is charged when the total usage on either Pricing Component is exceeded.
2. "Usage" - Within these Pricing Plans, the main driver is the usage, being the Recording Hours and the Storage. A fixed quantity (pool) of these Pricing Components is part of the Pricing Plan for a fixed monthly fee. You can add as many Recorded Users as You desire. They share the same pool, and only when the total usage is exceeded is Overage charged. The Pricing Plan defines the size of the pool. The various plans are introduced to provide for built-up to introduce staggered pricing.

2.6.2 It is noted that each plan has certain Pricing Components, which have a zero (0) pool size and thus are inherently Overage and charged "as-you-go", e.g., "Speech-to-Text".

2.6.3 You can vary between the Pricing Plans to obtain the most economical Pricing Plan. When switching between Pricing Plans, the new plan will become effective from the moment of the switch, so when We push the information to the MS Marketplace, the new plan will be applied, including the in-/decrement of the fixed monthly fee.​​​​​​​​​​

3. Suspension & Cancelation

3.1 In accordance with the Microsoft Commercial Marketplace Terms of Use and our Subscription Agreement, we may suspend or cancel your access to any Offers or CyberTwice Services for any of your violations of these terms. As per these terms, Suspension or Cancellation of access for non-payment could result in data loss. Therefore, for the CyberTwice ATTEST Offers, we uphold the policy specified in this article.

3.2 Suspension
When your account has been Suspended, the recording and processing of the resulting data function will remain active. However, the ATTEST Replay application in Microsofr-Teams will be blocked, so access to all your data is blocked, i.e., Customer can, amongst others, no longer play the calls. The ATTEST Management Portal remains available, but a clear banner indicates that the Subscription is Suspended. At the same time, a notification email will be sent to the Registered User, the user from whom the email account is used to subscribe to the CyberTwice ATTEST Service or any other email address entered for this purpose in the Attest Management Portal.

3.3 Cancellation (or Unsubscribe)
When a Customer Unsubscribes or Cancels a Subscription the recording and all processing of corresponding data will stop on the end date of the Subscription and access to the ATTEST Replay application will be blocked for all users.  The ATTEST Management Portal remains available displaying a clear banner indicating that the Subscription is Unsubscribed or Cancelled. Three (3) working days after the end date of the Subscription Term all data will be removed from the CyberTwice ATTEST Service, irrespective of the Retention Period set. The Registered User will be informed of the exact end date by email in a timely manner, typically ten (10) calendar days before and on the end date of the Subscription 

Note: If Customer wants to retain any data upon cancellation, Customer must download all relevant data for the CyberTwice ATTEST Service before the end date using the ATTEST Replay application. As per §3.1, We cannot be held responsible or liable for any loss of data caused by Customers' neglect in this matter.

3.4 Cancellation upon Suspension
In case the Subscription is Suspended as per §3.3 the only option for the Customer to access, and if desired retrieve, it's data is by paying the outstanding fees before the Subscription is automatically cancelled and the data is deleted as described in §3.3. Customer will be notified by email to the Registered User in a timely manner as per §3.3.

3.5 Cancellation Notice
Irrespective of the reason for Cancellation of the CyberTwice ATTEST Subscription it remains the sole responsibility of the Customer to ensure a proper abandonment of our CyberTwice Service, taking due notice of the stated in §3.3 Cancelation and §4.1(.3) Compliance Recording. At the same time, the sole obligation of Us is to inform the Registered User as stated in these Articles.

4.0 Specific Features

4.1 Retention
Retention is the total period that Interactions, including any associated data, like the Transcription, meta-data, remain stored in the Cybertwice ATTEST Service. The Retention Period can be set in the ATTEST Management Portal for all Recorded Groups.  When the Retention Period for an Interaction ends all Interaction Data will be automatically deleted from the CyberTwice ATTEST Service.

4.1 Compliance Recording
4.1.1 A selectable feature of the CyberTwice ATTEST Service is Compliance recording. Compliance recording is an inherent feature within Microsoft Teams, mainly intended for financial services organizations to ensure that every Interaction is recorded for attestation. A consequence of setting this feature is that, if for whatever reason a call from the Microsoft Teams environment is not accepted, or better said not recorded, by the CyberTwice ATTEST Service the Microsoft Teams call will not be established. In essence, the Microsoft Teams user will be prohibited by Microsoft Teams from interacting, i.e. prohibited from making phone calls, teams calls and teams meetings. 

4.1.2 As this feature is inherent to Microsoft Teams, We are bound by the workings of Microsoft Teams. The Compliance recording functionality can only be set by the running of a specific script by a properly authorized Administrator of a Microsoft tenant. This can only be done manually and not automatically by the CyberTwice ATTEST Service. The required script, including the instructions for running it, can be found in the ATTEST Management Portal. The en/-disabling of Compliance Recording can be set and controlled in the ATTEST Management Portal, but this will require, as indicated, manually (re-)running the appropriate script.

4.1.3 In case of cancellation of the CyberTwice ATTEST Subscription, the Customer itself needs to ensure that the recording function and especially the Compliance Recording feature is disabled before the end of the Subscription Term. We will inform the Registered User via email of this requirement in a timely manner, but cannot be held responsible or liable in any way if the Customer fails to take the appropriate actions causing Recorded Users to be prohibited to work with Microsoft Teams as per §4.1.2.

4.3 Encryption & Authenticity
4.3.1 Data Encryption
The CyberTwice ATTEST Service ensures that all Interactions with the CyberTwice ATTEST Service are fully encrypted using an AES-GCM encryption with a 256-bit length Key, a 96-bit Nonce (IV) and a 128-bit authentication tag. For each blob, a new random 256-bit key is generated. This key is only used once per blob.
The unique key is encrypted/wrapped with a 2048-bit RSA stored in an Azure-hosted (HSM) (Key Vault).

4.3.2 Authenticity
The authenticity of all Interactions stored within the CyberTwice ATTEST Service is ensured by signing of all the data. The signature is created by hashing (SHA256) a selected set of metadata/properties of the blob that includes the encryption metadata, tenant ID, the encrypted size and the original size. In order to verify the actual blob is authentic at least one block of data needs to be decrypted (this verifies the encryption key is correct). The hashed data is signed with an RSA-2048 key using RS256 (RSA signature with SHA-256)

4.4 Transcription (speech-to-text)
The CyberTwice ATTEST Service has an option to automatically convert captured speech/audio (also within a video interaction) to text using Microsoft Azure Cognitive Services. This service can be en-/disabled in the CyberTwice ATTEST Management Portal. We herewith note that unless explicitly included in the Pricing Plan the enabling of this service incurs Overage (=cost) to the Customer on a per-minute basis as per §2.4 and §2.6.3.